This chapter covers Cloud Security Posture Management (CSPM), a critical component of Microsoft Defender for Cloud that helps organizations continuously assess and improve their cloud security posture. CSPM is a core topic in the SC-900 exam, appearing in approximately 10-15% of questions related to Security Solutions (Objective 3.1). You will learn how CSPM works, its key features like Secure Score and recommendations, and how it integrates with Azure Policy and Microsoft Defender for Cloud to provide visibility and remediation guidance.
CSPM is like a building inspector who continuously monitors a large office building for fire code violations, unlocked doors, and structural weaknesses. The inspector does not actively fix problems—that is the job of the building manager—but they produce daily reports noting every window left open, every expired fire extinguisher, and every door without a proper lock. They also compare the current state against a master blueprint (compliance framework) to flag deviations. For example, if the blueprint requires all emergency exits to be unobstructed and the inspector finds a stack of boxes blocking an exit, they log that as a high-severity finding. The inspector uses automated sensors (APIs) to check every door and window, not just a few samples. They also have a baseline from the previous inspection; any change—such as a new door installed without a fire rating—is flagged as a drift. The building manager receives these reports and must decide which issues to fix first based on severity. In the same way, CSPM continuously scans cloud resources (VMs, storage accounts, databases) against security benchmarks (CIS, NIST, Azure Security Benchmark), identifies misconfigurations (public blob containers, unencrypted disks), and provides a prioritized list of recommendations. It does not block the misconfiguration from happening; it alerts after the fact, enabling the security team to remediate.
What is Cloud Security Posture Management (CSPM)?
Cloud Security Posture Management (CSPM) is a set of automated tools and practices that continuously monitor cloud environments for security misconfigurations, compliance violations, and risks. CSPM solutions are designed to provide visibility into the security state of cloud resources, detect deviations from best practices, and recommend remediation actions. The core idea is proactive security: rather than waiting for a breach, CSPM helps identify and fix weaknesses before they are exploited.
CSPM emerged because traditional security tools were not designed for the dynamic, API-driven nature of cloud computing. In on-premises environments, security teams could perform periodic audits and scans. In the cloud, resources are provisioned and decommissioned constantly, making manual audits impractical. CSPM automates the assessment process, providing near real-time visibility into the security posture.
How CSPM Works in Microsoft Defender for Cloud
Microsoft Defender for Cloud includes a built-in CSPM module that assesses Azure resources against security baselines and compliance frameworks. The process works as follows:
Continuous Assessment: Defender for Cloud collects configuration data from Azure resources through the resource providers (agentless, via Azure Resource Manager) and, for OS-level checks on machines, through the Azure Monitor Agent or agentless machine scanning (the Log Analytics agent has been retired). For virtual machines this covers OS configuration, installed software, and network settings. For PaaS services like Azure SQL Database, it queries the resource provider for settings such as encryption, firewall rules, and auditing.
Security Policies: CSPM relies on security policies defined in Azure Policy. These policies contain rules that specify desired configurations. For example, a policy might require that all storage accounts have HTTPS traffic only. Defender for Cloud evaluates resources against these policies to determine compliance.
Recommendations: When a resource is found to be non-compliant with a policy, Defender for Cloud generates a recommendation. Each recommendation has a severity level (High, Medium, Low) and a description of the issue and remediation steps. For example, if a virtual machine does not have disk encryption enabled, the recommendation will say "Disk encryption should be applied on virtual machines" with a severity of High.
Secure Score: Microsoft Defender for Cloud calculates a Secure Score from the compliance status of all resources. The score is a percentage: earned points divided by the points currently possible. Recommendations are grouped into security controls (for example, "Enable MFA"), each with a maximum score; a resource earns its share of a control's points once it is healthy for every recommendation in that control, so remediating one recommendation in a control may not move the score until the others on the same resource are fixed too. When you remediate, the reassessment moves the affected resources to healthy and the score rises.
Regulatory Compliance Dashboard: CSPM includes a dashboard that maps recommendations to specific compliance frameworks such as CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, and PCI DSS. This allows organizations to track their compliance posture against industry standards.
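The detection-versus-enforcement distinction in the steps above, as an added example that is not code from Defender for Cloud or Azure Policy: a toy evaluator in Python applies a rule shaped like the built-in "Secure transfer to storage accounts should be enabled" policy to a constructed inventory, once as Audit (the CSPM path: the resource stays as deployed and becomes an Unhealthy recommendation), once as Deny (the deployment is rejected) and once as Modify (the property is corrected). The resource names, the inventory and the evaluator itself are assumptions; the real Azure Policy engine resolves aliases, parameters and effects in far more detail.

```python
"""Toy policy evaluator showing Audit (detect) vs Deny (prevent) vs Modify (correct).
Added example; the rule shape mirrors an Azure Policy policyRule, but this is not
the Azure Policy engine and the inventory below is constructed, not real."""
from copy import deepcopy

# Shape follows the built-in "Secure transfer to storage accounts should be enabled"
# policy; the real definition takes the effect from a parameter, as shown here.
HTTPS_ONLY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}


def _field(resource, name):
    """Resolve a field reference. Azure Policy maps aliases onto resource
    properties; this toy just takes the last alias segment as the property name."""
    if name == "type":
        return resource["type"]
    return resource.get("properties", {}).get(name.rsplit("/", 1)[-1])


def _matches(cond, resource):
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, effect, resource):
    """Return (outcome, resource_after_effect).
    'compliant'     rule did not fire
    'non-compliant' Audit: resource is left as is and becomes a recommendation
    'denied'        Deny: the create/update never lands (resource_after is None)
    'modified'      Modify: the offending property is corrected on the way in"""
    if not _matches(rule["if"], resource):
        return "compliant", resource
    if effect == "Audit":
        return "non-compliant", resource
    if effect == "Deny":
        return "denied", None
    if effect == "Modify":
        fixed = deepcopy(resource)  # never mutate the caller's object
        # A real Modify effect carries an operations list; this toy fixes the one field checked.
        fixed["properties"]["supportsHttpsTrafficOnly"] = True
        return "modified", fixed
    raise ValueError(f"unsupported effect: {effect}")


def recommendations(rule, resources):
    """CSPM view: run the rule in Audit mode over an inventory and emit one
    recommendation-style finding per resource (assumed severity High)."""
    findings = []
    for r in resources:
        outcome, _ = evaluate(rule, "Audit", r)
        findings.append({
            "resource": r["name"],
            "status": "Unhealthy" if outcome == "non-compliant" else "Healthy",
            "displayName": "Secure transfer to storage accounts should be enabled",
            "severity": "High",
        })
    return findings


# Constructed inventory: one weak storage account, one correct one, one VM the rule ignores.
INVENTORY = [
    {"name": "stlegacy01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},
]

if __name__ == "__main__":
    for finding in recommendations(HTTPS_ONLY_RULE, INVENTORY):
        print(finding)
    # The same rule enforced at deployment time instead of assessed afterwards:
    print(evaluate(HTTPS_ONLY_RULE, "Deny", INVENTORY[0]))
    print(evaluate(HTTPS_ONLY_RULE, "Modify", INVENTORY[0]))
```

The point to take from the three outcomes: only the Audit path produces the kind of finding CSPM surfaces, and in that path the weak resource keeps running until someone acts; Deny is the only effect that stops it from existing.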
Key Components and Defaults
Secure Score: Shown as a percentage from 0% to 100%; no score is displayed until the initial assessment completes. Each security control (a group of related recommendations) has a maximum score impact, which is the number of points you earn by fully remediating the control across all affected resources. For example, a control worth 10 points assessed across 5 resources awards 2 points per resource that is healthy for every recommendation in the control.
Recommendations: Over 700 built-in recommendations covering compute, storage, networking, identity, and more. Examples include: "MFA should be enabled on accounts with owner permissions on your subscription", "Storage accounts should restrict network access using VNet rules", "Vulnerabilities should be remediated by a vulnerability assessment solution".
Security Policies: Default initiative is the Microsoft cloud security benchmark (MCSB), the successor to the Azure Security Benchmark (itself formerly "ASC Default"). This initiative includes a set of policies aligned with industry best practices. You can also create custom initiatives.
Compliance Standards: Defender for Cloud supports over 30 compliance standards including SOC 2, ISO 27001, HIPAA, and FedRAMP. You can enable multiple standards simultaneously.
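The Secure Score arithmetic and the control-to-recommendation mapping described in the Secure Score and Regulatory Compliance items above, as an added example that is not code from Defender for Cloud: assessment records are constructed in the shape Azure Resource Graph returns from the securityresources table (type microsoft.security/assessments), the three control weights follow the published model (a resource only earns its share of a control's points once it is healthy for every recommendation in that control), and the control and standard mappings, the resource identifiers and the handling of controls with no assessed resources are assumptions.

```python
"""Secure Score and regulatory-compliance arithmetic over assessment records.
Added example, not code from Defender for Cloud.  Records are constructed and
shaped like Azure Resource Graph 'securityresources' rows; control/standard
mappings are assumptions."""

RG = "/subscriptions/sub-1/resourceGroups/rg-app/providers/"

MFA = "MFA should be enabled on accounts with owner permissions on your subscription"
HTTPS = "Secure transfer to storage accounts should be enabled"
APP_HTTPS = "Function apps should only be accessible over HTTPS"
VULN = "Machines should have vulnerability findings resolved"


def assessment(display_name, status, resource_id):
    """One record in the shape ARG returns for microsoft.security/assessments."""
    return {"type": "microsoft.security/assessments",
            "properties": {"displayName": display_name,
                           "status": {"code": status},  # Healthy / Unhealthy / NotApplicable
                           "resourceDetails": {"Id": resource_id}}}


ASSESSMENTS = [  # constructed sample tenant state, not a real subscription
    assessment(MFA, "Unhealthy", "/subscriptions/sub-1"),
    assessment(HTTPS, "Unhealthy", RG + "Microsoft.Storage/storageAccounts/stlegacy01"),
    assessment(HTTPS, "Healthy", RG + "Microsoft.Storage/storageAccounts/stprod01"),
    assessment(APP_HTTPS, "Healthy", RG + "Microsoft.Web/sites/func-orders"),
    assessment(VULN, "Unhealthy", RG + "Microsoft.Compute/virtualMachines/vm-web-01"),
    assessment(VULN, "Healthy", RG + "Microsoft.Compute/virtualMachines/vm-db-01"),
    assessment(VULN, "NotApplicable", RG + "Microsoft.Compute/virtualMachines/vm-stopped-01"),
]

# Security controls group recommendations and carry the max score (weights match the
# published ones for these three controls; the grouping itself is constructed).
CONTROLS = {
    "Enable MFA": {"max_score": 10, "recommendations": [MFA]},
    "Encrypt data in transit": {"max_score": 4, "recommendations": [HTTPS, APP_HTTPS]},
    "Remediate vulnerabilities": {"max_score": 6, "recommendations": [VULN]},
}

# Regulatory standards map their own controls onto the same recommendations (assumed mapping).
STANDARDS = {
    "CIS Microsoft Azure Foundations Benchmark": {
        "Ensure MFA is enabled for all privileged users": [MFA],
        "Ensure 'Secure transfer required' is enabled": [HTTPS],
        "Ensure web apps redirect HTTP to HTTPS": [APP_HTTPS],
    },
    "PCI DSS": {
        "Req 4: encrypt cardholder data in transit": [HTTPS, APP_HTTPS],
        "Req 6: maintain secure systems": [VULN],
        "Req 8: authenticate access": [MFA],
    },
}


def resource_health(assessments, recommendations):
    """Map resource id -> True only if every applicable assessment among the given
    recommendations is Healthy.  NotApplicable rows are ignored entirely."""
    health = {}
    for a in assessments:
        p = a["properties"]
        if p["displayName"] not in recommendations or p["status"]["code"] == "NotApplicable":
            continue
        rid = p["resourceDetails"]["Id"]
        health[rid] = health.get(rid, True) and p["status"]["code"] == "Healthy"
    return health


def control_scores(assessments, controls):
    """{control: (current_points, max_points)}, current = max * healthy / total."""
    scores = {}
    for name, c in controls.items():
        health = resource_health(assessments, c["recommendations"])
        if not health:  # assumption: a control with no assessed resources is left out
            continue
        scores[name] = (c["max_score"] * sum(health.values()) / len(health), c["max_score"])
    return scores


def secure_score(assessments, controls):
    """Overall Secure Score as a percentage: earned points / possible points."""
    scores = control_scores(assessments, controls)
    possible = sum(mx for _, mx in scores.values())
    return round(100 * sum(cur for cur, _ in scores.values()) / possible, 1) if possible else 0.0


def prioritised(assessments, controls):
    """Controls ordered by potential score increase (max - current)."""
    scores = control_scores(assessments, controls)
    return sorted(scores, key=lambda n: scores[n][1] - scores[n][0], reverse=True)


def compliance(assessments, standards):
    """Per standard: (passed controls, total controls).  A control passes only when
    every resource mapped to it is healthy for all of its recommendations."""
    return {std: (sum(all(resource_health(assessments, recs).values()) for recs in ctrls.values()),
                  len(ctrls))
            for std, ctrls in standards.items()}


if __name__ == "__main__":
    for name, (cur, mx) in control_scores(ASSESSMENTS, CONTROLS).items():
        print(f"{name:28s} {cur:5.2f} / {mx}")
    print("Secure Score:", secure_score(ASSESSMENTS, CONTROLS), "%")
    print("Fix first:", prioritised(ASSESSMENTS, CONTROLS))
    print("Compliance:", compliance(ASSESSMENTS, STANDARDS))
```

Two things this makes visible that the percentage alone hides: the single unhealthy owner account costs all 10 "Enable MFA" points, more than the two partially remediated controls put together, and one unhealthy storage account fails a control in both standards at once.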
Configuration and Verification
To enable CSPM in Defender for Cloud:
Navigate to Microsoft Defender for Cloud in the Azure portal.
Under "Management", select "Environment settings".
Select the subscription or management group you want to enable.
The free tier (Foundational CSPM, which covers Secure Score, recommendations and the Microsoft cloud security benchmark) is enabled automatically when the subscription is onboarded; the toggles here switch individual Defender plans on or off, including the paid Defender CSPM plan that adds agentless scanning, attack path analysis and the cloud security explorer.
Under "Security policies", you can view and modify the assigned policies.
To view Secure Score:
In Defender for Cloud, select "Secure Score" from the left menu. You will see the overall score and scores per subscription.
To view recommendations:
Select "Recommendations" from the left menu. You can filter by severity, resource type, and status.
To check compliance with a specific standard:
Select "Regulatory compliance" from the left menu. Choose a standard (e.g., CIS 1.4) to see the compliance status.
Interaction with Related Technologies
CSPM in Azure is tightly integrated with:
Azure Policy: CSPM uses Azure Policy definitions as its evaluation engine; the assigned initiative determines which recommendations exist. Remediation is a change to the resource, made by hand, by a Quick Fix that runs a remediation template, or by a policy assignment whose DeployIfNotExists or Modify effect corrects resources at deployment time.
Microsoft Defender for Cloud Plans: The free tier (Foundational CSPM) includes Secure Score, recommendations, and compliance assessment. Paid plans add capabilities: Defender CSPM adds agentless scanning, attack path analysis and the cloud security explorer, and workload plans such as Defender for Servers and Defender for SQL add threat detection and vulnerability management.
Azure Advisor: Recommendations from CSPM also appear in Azure Advisor, which provides best practice recommendations for cost, performance, reliability, and security.
Microsoft cloud security benchmark (MCSB): The default policy initiative, successor to the Azure Security Benchmark. It maps to industry benchmarks and is updated regularly to reflect new threats.
Continuous export and Azure Resource Graph: Recommendations and Secure Score can be streamed to a Log Analytics workspace or an Event Hub with continuous export, queried from the securityresources table in Azure Resource Graph, and ingested into Microsoft Sentinel through its Defender for Cloud data connector.
How CSPM Differs from Other Security Tools
CSPM vs. SIEM: SIEM (Security Information and Event Management) focuses on collecting and analyzing logs for threat detection. CSPM focuses on configuration assessment and compliance. They complement each other: CSPM identifies misconfigurations that could lead to breaches, while SIEM detects ongoing attacks.
CSPM vs. CWPP: Cloud Workload Protection Platform (CWPP) protects workloads (e.g., VMs, containers) against threats like malware and vulnerabilities. CSPM is broader, covering all cloud resources including network and identity configurations.
CSPM vs. CIEM: Cloud Infrastructure Entitlement Management (CIEM) focuses on managing permissions and entitlements (e.g., who has access to what). CSPM includes some identity-related recommendations but is not as deep.
Common Metrics and Alerts
CSPM itself does not raise security alerts (those come from the paid Defender plans), but posture changes can drive notifications through workflow automation and exported data, for example when:
A resource becomes non-compliant with a policy and its recommendation turns Unhealthy (workflow automation can run a Logic App on recommendation state changes, filtered by severity).
A new high-severity recommendation appears.
Secure Score drops below a threshold (not a built-in setting: build it from continuous export to a Log Analytics workspace and an Azure Monitor alert rule).
These notifications can be sent by email or Teams from the Logic App, raised as Azure Monitor alerts, or forwarded to a SIEM such as Microsoft Sentinel. The built-in email notification setting in Defender for Cloud covers security alerts, not recommendations.
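The drift and threshold conditions listed above, implemented as detection logic over two exported snapshots, as an added example that is not code from Defender for Cloud: the lines are constructed and modeled on the columns continuous export writes to the SecurityRecommendation table in a Log Analytics workspace (RecommendationName, RecommendationSeverity, RecommendationState, AssessedResourceId, TimeGenerated); the resource identifiers, severities and score figures are assumptions. Only new or regressed findings are raised, so a finding that was already unhealthy yesterday does not page anyone again.

```python
"""Drift detection over two exported recommendation snapshots plus a Secure Score
threshold check.  Added example, not code from Defender for Cloud; sample lines
are constructed and modeled on the SecurityRecommendation table columns."""
import json

RID = "/subscriptions/sub-1/resourceGroups/rg-app/providers/"

# Snapshot from the previous export run (constructed, one JSON object per line).
SNAPSHOT_T0 = f"""
{{"TimeGenerated": "2024-05-01T02:00:00Z", "RecommendationName": "Secure transfer to storage accounts should be enabled", "RecommendationSeverity": "High", "RecommendationState": "Healthy", "AssessedResourceId": "{RID}Microsoft.Storage/storageAccounts/stprod01"}}
{{"TimeGenerated": "2024-05-01T02:00:00Z", "RecommendationName": "Machines should have vulnerability findings resolved", "RecommendationSeverity": "Medium", "RecommendationState": "Unhealthy", "AssessedResourceId": "{RID}Microsoft.Compute/virtualMachines/vm-web-01"}}
{{"TimeGenerated": "2024-05-01T02:00:00Z", "RecommendationName": "MFA should be enabled on accounts with owner permissions on your subscription", "RecommendationSeverity": "High", "RecommendationState": "Unhealthy", "AssessedResourceId": "/subscriptions/sub-1"}}
"""

# Snapshot from the latest run: one regression, one unchanged finding, one remediation,
# and two findings on resources that did not exist before (constructed).
SNAPSHOT_T1 = f"""
{{"TimeGenerated": "2024-05-02T02:00:00Z", "RecommendationName": "Secure transfer to storage accounts should be enabled", "RecommendationSeverity": "High", "RecommendationState": "Unhealthy", "AssessedResourceId": "{RID}Microsoft.Storage/storageAccounts/stprod01"}}
{{"TimeGenerated": "2024-05-02T02:00:00Z", "RecommendationName": "Machines should have vulnerability findings resolved", "RecommendationSeverity": "Medium", "RecommendationState": "Unhealthy", "AssessedResourceId": "{RID}Microsoft.Compute/virtualMachines/vm-web-01"}}
{{"TimeGenerated": "2024-05-02T02:00:00Z", "RecommendationName": "MFA should be enabled on accounts with owner permissions on your subscription", "RecommendationSeverity": "High", "RecommendationState": "Healthy", "AssessedResourceId": "/subscriptions/sub-1"}}
{{"TimeGenerated": "2024-05-02T02:00:00Z", "RecommendationName": "Machines should have vulnerability findings resolved", "RecommendationSeverity": "Medium", "RecommendationState": "Unhealthy", "AssessedResourceId": "{RID}Microsoft.Compute/virtualMachines/vm-api-02"}}
{{"TimeGenerated": "2024-05-02T02:00:00Z", "RecommendationName": "Storage account public access should be disallowed", "RecommendationSeverity": "High", "RecommendationState": "Unhealthy", "AssessedResourceId": "{RID}Microsoft.Storage/storageAccounts/stlogs02"}}
"""


def parse_export(text):
    """One JSON object per line, keyed by (resource, recommendation) so the same
    finding can be matched between snapshots."""
    rows = {}
    for line in text.strip().splitlines():
        row = json.loads(line)
        rows[(row["AssessedResourceId"], row["RecommendationName"])] = row
    return rows


def detect_drift(previous, current):
    """Return (kind, row) pairs:
    'regressed'  Healthy -> Unhealthy
    'new'        Unhealthy with no earlier record (new or newly assessed resource)
    'remediated' Unhealthy -> Healthy
    Findings that were already Unhealthy are deliberately not re-raised."""
    events = []
    for key, row in current.items():
        state, before = row["RecommendationState"], previous.get(key)
        if state == "Unhealthy" and before is None:
            events.append(("new", row))
        elif state == "Unhealthy" and before["RecommendationState"] == "Healthy":
            events.append(("regressed", row))
        elif state == "Healthy" and before is not None and before["RecommendationState"] == "Unhealthy":
            events.append(("remediated", row))
    return events


def page_worthy(events, min_severity="High"):
    """Only new or regressed findings at or above the chosen severity should page."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    return [(kind, row) for kind, row in events
            if kind in ("new", "regressed") and rank[row["RecommendationSeverity"]] >= rank[min_severity]]


def score_alert(previous_pct, current_pct, floor=70.0, max_drop=5.0):
    """Secure Score threshold check (not a built-in Defender for Cloud setting):
    alert when the score falls below the floor or drops by more than max_drop points."""
    if current_pct < floor:
        return f"Secure Score {current_pct}% is below the floor of {floor}%"
    if previous_pct - current_pct > max_drop:
        return f"Secure Score dropped {previous_pct - current_pct:.1f} points"
    return None


if __name__ == "__main__":
    events = detect_drift(parse_export(SNAPSHOT_T0), parse_export(SNAPSHOT_T1))
    for kind, row in events:
        print(f"{kind:10s} {row['RecommendationSeverity']:6s} {row['AssessedResourceId'].rsplit('/', 1)[-1]}")
    print("page:", [(k, r["AssessedResourceId"].rsplit("/", 1)[-1]) for k, r in page_worthy(events)])
    print(score_alert(82.0, 75.0))
```

The regression on stprod01 is the case worth paging on: the control was satisfied, then someone re-enabled HTTP, and a 24-hour evaluation cycle is the only reason it shows up at all rather than being blocked at deployment.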
Best Practices for CSPM
Prioritize high-severity recommendations: Focus on recommendations that have the highest impact on Secure Score and are most critical (e.g., exposed storage accounts, missing encryption).
Automate remediation: Use Azure Policy's "DeployIfNotExists" or "Modify" effect to fix common misconfigurations automatically when resources are created or updated, and run remediation tasks to bring existing resources into line.
Regularly review Secure Score: Track trends over time to measure improvement.
Enable multiple compliance standards: Especially if your organization must meet regulatory requirements.
Use management groups: Apply policies at the management group level to ensure consistency across subscriptions.
Limitations of CSPM
Agent or agentless coverage for machines: OS-level assessments need either the Azure Monitor Agent (the Log Analytics agent has been retired) or agentless machine scanning, which comes with the paid Defender CSPM and Defender for Servers Plan 2 plans.
Not real-time: the Azure Policy evaluation cycle runs about every 24 hours, with a further evaluation shortly after a resource is created or changed, so a misconfiguration can exist for minutes to hours before it is flagged.
Does not prevent misconfigurations: CSPM detects and recommends, but does not block. To prevent, assign Azure Policy with the Deny effect; Audit only records non-compliance, and Modify or DeployIfNotExists corrects resources at deployment time rather than rejecting them.
Cost: Some advanced features require paid Defender plans.
Enable Microsoft Defender for Cloud
In the Azure portal, navigate to Microsoft Defender for Cloud. Opening it onboards the subscription to the free tier (Foundational CSPM), which covers Secure Score, recommendations, and assessment against the Microsoft cloud security benchmark; there is no separate switch for it. Under 'Management', select 'Environment settings' and choose the subscription or management group to see the per-plan toggles, where you can optionally enable paid Defender plans (Defender CSPM for agentless scanning and attack path analysis, or workload plans such as Defender for Servers) for additional protections. After onboarding, Defender for Cloud begins an initial assessment of all resources in the selected scope. This assessment can take up to 24 hours to complete, depending on the number of resources.
Review and assign security policies
Defender for Cloud automatically assigns the Microsoft cloud security benchmark (MCSB) initiative, the successor to the Azure Security Benchmark, to your subscription. To view or modify policies, go to 'Security policy' under 'Management'. You will see the assigned initiative. You can add additional custom policies or initiatives. Policies are evaluated against resources continuously. For example, if a policy requires 'Storage accounts should use HTTPS only', any storage account with HTTP enabled will be marked as non-compliant. The evaluation results are used to generate recommendations and calculate the Secure Score.
View Secure Score and recommendations
In Defender for Cloud, select 'Secure Score' to see your overall security posture as a percentage. The score is the ratio of earned points to possible points across security controls, where each control groups related recommendations and has a 'Score impact' (its maximum points). For example, the 'Enable MFA' control, which contains 'MFA should be enabled on accounts with owner permissions', is worth 10 points; if it is assessed across 5 subscriptions, each subscription earns 2 of those points once every MFA recommendation in the control is healthy for it. To see specific issues, select 'Recommendations'. Here you can filter by severity, resource type, and status. Each recommendation includes a description, remediation steps, and a list of affected resources.
Remediate recommendations
For each recommendation, you can take manual or automated remediation. Manual remediation involves following the steps provided, such as enabling encryption on a storage account. Automated remediation uses Azure Policy's 'DeployIfNotExists' or 'Modify' effects. For example, the recommendation 'Vulnerabilities should be remediated by a vulnerability assessment solution' can be remediated by enabling Microsoft Defender Vulnerability Management, which is included with Defender for Servers (the earlier Qualys-based scanner integration has been retired). After remediation, Defender for Cloud reassesses the resource and updates the recommendation status. The Secure Score increases as you remediate.
Monitor regulatory compliance
Navigate to 'Regulatory compliance' in Defender for Cloud. Here you can add compliance standards such as CIS, NIST, PCI DSS, and HIPAA. For each standard, you see a compliance score and a breakdown of controls. Each control maps to one or more recommendations; for example, the CIS Microsoft Azure Foundations Benchmark control requiring multi-factor authentication for privileged users maps to the recommendation 'MFA should be enabled on accounts with owner permissions on your subscription', so one unhealthy resource can fail a control in several standards at once. You can track your progress over time and generate reports for auditors. Compliance assessments are updated continuously as resources change.
Enterprise Scenario 1: Large Financial Institution
A global bank with thousands of Azure subscriptions needed to meet PCI DSS compliance. They enabled Microsoft Defender for Cloud and assigned the PCI DSS v3.2.1 compliance standard. The CSPM assessment revealed over 500 non-compliant resources, including storage accounts with public network access and VMs without disk encryption. The security team prioritized high-severity recommendations and used Azure Policy's DeployIfNotExists effect to automatically enable encryption on new VMs. They also set up email alerts for any new high-severity recommendation. Over six months, they improved their Secure Score from 45% to 82% and passed their PCI DSS audit. A key challenge was the volume of recommendations—they used Azure Workbooks to create custom dashboards for different teams (e.g., network team sees networking recommendations, identity team sees MFA recommendations).
Enterprise Scenario 2: Healthcare SaaS Provider
A healthcare SaaS company hosted patient data in Azure and needed to comply with HIPAA. They enabled Defender for Cloud and added the HIPAA HITRUST standard. CSPM flagged that several SQL databases had auditing disabled and that VMs were missing endpoint protection. The security team used the 'Quick Fix' option for some recommendations, which automatically applies remediation via Azure Policy. However, they encountered a problem: one recommendation to enable network security groups (NSGs) on subnets was automatically applied but broke connectivity for a legacy application. They learned to test remediation in a non-production environment first. They also used the 'Regulatory compliance' dashboard to generate reports for their compliance officer. The Secure Score helped them demonstrate continuous improvement to auditors.
Misconfiguration Consequences
When CSPM is misconfigured—for example, if the security policies are too permissive or if recommendations are ignored—the organization may miss critical vulnerabilities. Common misconfigurations include:
Not enabling CSPM on all subscriptions (e.g., only production subscriptions are assessed, leaving dev/test subscriptions unmonitored).
Ignoring high-severity recommendations due to alert fatigue.
Not assigning the appropriate compliance standards (e.g., a healthcare company forgetting to enable HIPAA).
Over-relying on manual remediation, leading to inconsistent fixes.
In one real-world case, a company ignored a recommendation to restrict public access to a storage account. The storage account was compromised, leading to a data breach. CSPM had flagged the issue six months earlier, but it was never remediated. This highlights the importance of acting on recommendations promptly.
What SC-900 Tests on CSPM
The SC-900 exam objective 3.1 covers 'Describe the capabilities of Microsoft Defender for Cloud', which includes CSPM. Specifically, you need to understand:
The purpose of CSPM: continuous assessment, detection of misconfigurations, and compliance monitoring.
Secure Score: what it is, how it is calculated (percentage based on compliance with recommendations).
Recommendations: how they are generated and what they contain (severity, description, remediation steps).
Regulatory compliance dashboard: how it maps recommendations to standards like CIS, NIST, PCI DSS.
The difference between the free CSPM tier and paid Defender plans.
Common Wrong Answers and Why
'CSPM prevents misconfigurations in real time' – This is false. CSPM detects and recommends, but does not block. Prevention is done by Azure Policy with Deny/Modify effects. Candidates often confuse assessment with enforcement.
'Secure Score is based on the number of resources' – Wrong. Secure Score is based on compliance with recommendations, not resource count. A subscription with many resources can have a high score if they are all compliant.
'CSPM only works for virtual machines' – Incorrect. CSPM covers all Azure resources: storage, networking, databases, identity, etc.
'CSPM is a paid feature of Defender for Cloud' – The basic CSPM features (Secure Score, recommendations, regulatory compliance) are free. Only advanced features like threat detection require a paid plan.
Specific Numbers and Terms
Secure Score: shown as 0-100%; no score is displayed until the initial assessment completes.
Recommendations: over 700 built-in.
Compliance standards: over 30 supported.
Assessment frequency: a full Azure Policy evaluation cycle runs about every 24 hours, and a resource is re-evaluated shortly after it is created or changed.
Default policy initiative: Microsoft cloud security benchmark (MCSB), successor to the Azure Security Benchmark (formerly ASC Default).
Edge Cases and Exceptions
Management groups: Policies can be assigned at management group level, affecting all child subscriptions.
Multiple compliance standards: You can enable multiple standards; the dashboard shows compliance per standard.
Secure Score calculation: Points are weighted by security control; some controls (such as 'Enable MFA') carry far more points than others, and a resource earns a control's points only once it is healthy for every recommendation in that control. The score is always shown as a percentage of the points currently possible, so the denominator changes as recommendations are added, retired, or marked not applicable, and the score can move without any change on your side.
Recommendation lifecycle: A recommendation can become 'Unhealthy' if a resource becomes non-compliant, or 'Healthy' after remediation. There is also 'Not applicable' if the resource type is not relevant.
How to Eliminate Wrong Answers
If an option says CSPM 'blocks' or 'prevents' misconfigurations, it is wrong. CSPM assesses and recommends.
If an option says CSPM is only for VMs, it is wrong. It covers all resource types.
If an option says Secure Score is based on the number of resources, it is wrong. It is based on compliance.
If an option says CSPM requires a paid license, remember that basic CSPM is free.
CSPM continuously assesses Azure resources for misconfigurations and compliance violations.
Secure Score is a percentage measuring compliance with security recommendations.
Recommendations have severity levels (High, Medium, Low) and a score impact value.
Basic CSPM features are free; advanced threat detection requires paid Defender plans.
CSPM does not prevent misconfigurations; it detects and recommends remediation.
Regulatory compliance dashboard maps recommendations to standards like CIS, NIST, PCI DSS.
Default policy initiative is the Microsoft cloud security benchmark (MCSB), successor to the Azure Security Benchmark.
These come up on the exam all the time. Here's how to tell them apart.
CSPM (Cloud Security Posture Management)
Focuses on assessing security posture and generating recommendations.
Provides a Secure Score to measure overall compliance.
Does not enforce configurations; it detects and recommends.
Includes regulatory compliance dashboards for standards like CIS and NIST.
Built into Microsoft Defender for Cloud (free tier available).
Azure Policy
Focuses on enforcing desired configurations on resources.
Can deny, audit, or modify resources automatically.
Enforces rules at resource creation and continuously.
Has its own compliance view (the percentage of compliant resources per assignment) but no Secure Score and no mapping to regulatory standards.
Is a separate service in Azure (can be used without Defender for Cloud).
Mistake
CSPM prevents misconfigurations in real time.
Correct
CSPM is a detective control, not a preventive one. It assesses configurations after they are deployed and generates recommendations. To prevent misconfigurations, you must use Azure Policy with Deny or Modify effects.
Mistake
Secure Score is a percentage of resources that are secure.
Correct
Secure Score is calculated based on the compliance status of all recommendations. It is not a simple percentage of resources. Each recommendation contributes a certain number of points, and the score is the ratio of earned points to total possible points.
Mistake
CSPM only works for Azure virtual machines.
Correct
CSPM covers all Azure resource types, including storage accounts, SQL databases, network security groups, key vaults, and identity configurations.
Mistake
CSPM is a paid feature of Microsoft Defender for Cloud.
Correct
The core CSPM features (Secure Score, recommendations, regulatory compliance) are available in the free tier of Defender for Cloud. Paid plans add advanced capabilities like threat detection and vulnerability scanning.
Mistake
CSPM assessments are performed in real time.
Correct
Assessments are performed periodically (typically every 24 hours) and when resource changes are detected. There is a delay between a configuration change and the assessment update.
CSPM is a feature of Microsoft Defender for Cloud that assesses your cloud environment against security best practices and provides a Secure Score and recommendations. Azure Policy is a separate service that enforces rules on resources (e.g., deny creation of unencrypted disks). CSPM uses Azure Policy as the engine to evaluate compliance, but CSPM focuses on posture assessment while Azure Policy focuses on enforcement. In short: CSPM tells you what's wrong; Azure Policy can prevent or fix it.
Yes. The free tier includes the core CSPM features: Secure Score, security recommendations, and regulatory compliance assessment. You do not need to enable any paid plans to use these features. However, some advanced capabilities like threat detection, vulnerability scanning, and just-in-time VM access require paid Defender plans (e.g., Defender for Servers).
CSPM assessments are performed continuously, but the evaluation cycle typically updates every 24 hours. When a resource changes (e.g., a new VM is created or a storage account configuration is modified), the assessment is triggered sooner. However, there is always a slight delay between a change and the recommendation update.
CSPM supports over 30 compliance standards including CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, PCI DSS, HIPAA HITRUST, ISO 27001, SOC 2, and FedRAMP. You can enable multiple standards simultaneously and view your compliance posture per standard in the Regulatory Compliance dashboard.
CSPM itself does not automatically fix misconfigurations, but it provides recommendations that include remediation steps. You can use Azure Policy's 'DeployIfNotExists' or 'Modify' effects to automatically apply fixes when resources are created or updated. Additionally, some recommendations have a 'Quick Fix' option that applies a policy to automate remediation.
Secure Score is calculated as a percentage: (Earned Points / Total Possible Points) * 100. Points are awarded per security control, a group of related recommendations with a maximum score impact (e.g., 10 points). Each resource assessed by the control contributes an equal share of those points, but only once it is healthy for every recommendation in the control, so partially remediating a control can leave its score unchanged. The total possible points change as recommendations are added or removed.
It is not limited to Azure. Defender for Cloud's CSPM also assesses AWS and GCP resources once those accounts are onboarded through environment connectors, with the free Foundational CSPM tier applying there as well. DevOps security for GitHub, Azure DevOps, and GitLab is part of the paid Defender CSPM plan (the earlier 'Defender for DevOps' preview was folded into it); for code and dependency scanning inside the repositories themselves, Microsoft offers GitHub Advanced Security and its Azure DevOps counterpart.